Concerned about Security in the #Cloud? – This is what you should ask your cloud service provider
Do you come from a line of business, have seen the benefits that cloud services can bring to your organization, and want to leverage them?
Do you lack the technical background of your IT colleagues, but are still concerned about your critical data being stored in and accessed via the cloud?
Here is a list of questions that you should ask a cloud service provider when considering cloud solutions. If a provider can address them, it is the one to choose… and it should also hold up in front of your IT department.
The questions are structured according to the top security concerns in the cloud.
SaaS architectures involve Web-based applications and communication that occurs via the internet. The questions that should be asked here are:
- How are authorizations for data access handled?
- How is the communication between us and the vendor secured? What kinds of encryption protocols are used? SSL or TLS?
- Are the communication channels encrypted using a Wide Area Network (WAN) or Virtual Private Network (VPN)?
- How is it ensured that only authorized users can access my critical data?
- How is the protection of passwords managed?
- Does access to information rely on a single centralized administrator account?
Handing your critical data to a cloud service provider requires trust. It is therefore important to know where the data is stored and how it is protected. For peace of mind, the following questions should be asked:
- In which country/countries are you running your data centers?
- Can I choose in which country my data is stored?
- Do government regulations, such as export control rules, prohibit specific company data from being stored outside the country?
- How is the physical entrance to the data center managed?
- What happens when a natural disaster occurs?
- What disaster protection measures are in place?
- Does every data center have the same technical standards, regardless of its location?
- Do you comply with location specific requirements?
In a SaaS model, your data is stored in the data center of the vendor together with data from other companies. Thus, the following questions should be answered and compliance regulations should be addressed:
- Is there a risk of losing data?
- What procedures guarantee availability?
- Where are backups stored?
- Can you ensure that heterogeneous data is separated for each customer?
- Can you read my data?
- Does every one of your data centers have the same technical standards, regardless of its location?
- Do data protection laws allow employee data to be stored in the cloud?
- Is web access offered with one set of database tables which is shared by many customers or do I have my own to segregate my data?
- Are database and file system encryption supported?
- Is every level that my data moves through secured, not only the top tiers (application, web)?
Your provider must ensure that its general capabilities for secure and stable IT operations comply with industry standards and technology best practices. To confirm this, your vendor should be able to answer the following questions:
- Which requirements are met by the information security management system?
- Are system operations secured by international and country-specific certifications such as ISO 27001, ISAE 3402 or SSAE 16?
- How is the network isolated?
- Beyond the cloud server environment, is the administrator client infrastructure also secure?
- Do you comply with standards that confirm the reliability of your internal processes?
- Are you conforming to auditing standards and can you provide a Service Organization Control Report?
Data Transmission & Flow Control
SaaS uses the public internet to transmit data, and therefore transmission security is required. Here are the questions to be answered:
- Is transmission security designed into the system?
- Which connections between the customer and vendor are used by the provided solutions?
- What functions do the solutions use to prevent eavesdropping or tampering?
- How is the web communication secured?
- Are outgoing messages from the solution encrypted and how?
- Is physical data transfer possible and how is it secured?
- What security policies are in place? Are they up to date?
- Do your employees have to read, understand and sign security acknowledgements?
- Do your employees get security training?
- Do they have to pass tests?
- Do you meet the latest compliance standards?
SAP has been handling critical customer data for decades and operates securely. The knowledge built up over that time is used to protect your data in and around the cloud.
But security is not only about certifications and data centers. A vendor's security concept needs to go far beyond that: it needs to address the operation of data, the storage of data and, for example, the portability of my data, because I might want it on-premise today and in the cloud tomorrow.
See more in depth information from my colleagues and experts here:
- The Best Security for Your Cloud Part 2: Information Security and Data Protection in SaaS Applications
Last but not least, one major aspect should be highlighted when it comes to security – the culture.
Employees of a cloud vendor should have security thinking implanted in their DNA: be careful with your passwords, lock your devices whenever you are not working with them, and take security seriously at an early stage of developing new software. Employees of SAP are experts in this area. Every employee receives a wide range of security training and has to pass tests on a regular basis.
Any remarks? If yes, please let us know. We are happy to engage with you.
Follow us on twitter to stay informed about the hot topics around the cloud.
Sven Denecken (@SDenecken) and Nikolai Vetter (@NikolaiVetter)
Read other relevant blogs:
- The 1-2-3 of Cloud Security at SAP
- SAP Cloud – Quarterly update Q1 2014 by @SDenecken
- 10 #Cloud Computing Trends for 2014
- Clearing the Clouds around the Cloud
Thanks for the list, it is comprehensive. I would also add that the SaaS and other cloud models require a robust approach to vendor management. The safeguards provided by the cloud providers are elements of vendor delivery while the same protections are managed directly in an on premise model.
Thanks. Nice information, collated and listed. Also, if there could be specific information on how to move your BI applications to the clouds, precautions to take, things to do from the technical perspective as an end user, that would be great.
Any further links on that please?
Am specifically looking for - understanding of moving of BI servers of Business Objects into the cloud. I remember some mentioning of support of BO on AWS during Teched. So it should be supported as well, whichever cloud a customer wants to move.
All suggestions, ideas welcome.
I personally am generally suspicious of cloud providers and companies that claim to be experienced SAP hosting providers. These questions have the risk of oversimplifying a very complex issue. The intentions behind the questions are good and actually for the most part should be a general best practice for any data center operation. However, you trust the service provider to answer them truthfully. I doubt any service provider would respond with 'Yes' to the question whether there is a risk of data loss even if their storage unit just blew up.
In general, before a customer can even think of engaging a cloud service provider, they should ask themselves some questions:
A customer wants to know whether a cloud service provider is secure or not. However, compliance has nothing to do with security. Compliance is a side effect of a secure environment. As soon as compliance is the driver for security, people will cut corners and only do the minimum required to achieve compliance goals.
Some cloud service providers have big logos on their web sites stating that they are compliant with whatever standard. If you dig deeper then you see that sometimes this logo only refers to a very small part of the big picture (for example the authentication mechanisms). In most cases it's not even visible what the scope of the certification is.
My personal approach: anything you can't verify is not true. A cloud service provider wants your business. They don't have your interests in mind. I know this because I worked with many hosting and service providers on both sides (as a customer and as an employee).
Given that, the real questions I would ask are:
If the service provider fails with the above questions, the final question you should ask yourself:
I'm not against outsourcing or cloud services, but the questions above don't mean anything if they can't be verified or validated. Way too often customers are blinded by weak SLAs or wrong expectations.
Classic risk management falls short on cloud service providers due to the lack of transparency. If you don't know what goes on internally at the service provider then how would you do a risk assessment on that provider?
An interesting link regarding cloud security: https://cloudsecurityalliance.org/